Impact
An unauthenticated remote information disclosure vulnerability exists in the quantization engine component of Ollama’s Ollama software. The flaw allows an attacker to read arbitrary data from the server’s heap memory, potentially exposing sensitive information such as user data, credentials, or other private data. This exposure can facilitate further attacks, enabling an adversary to compromise the system or maintain stealthy persistence. The weakness involves unintended memory access (CWE-822).
Affected Systems
The affected product is Ollama AI’s Ollama software. The advisory does not specify affected versions; therefore, all currently deployed installations should be considered potentially impacted until an official update is released.
Risk and Exploitability
Since the quantization engine is reachable over the network and no authentication is required, an attacker can trigger the disclosure remotely, making the attack vector high. The EPSS score of <1% indicates a low probability of exploitation in the wild, but the CVSS score of 7.5 signals substantial severity, signaling that the vulnerability could lead to significant data loss if utilized. The vulnerability is not listed in CISA’s KEV catalog, suggesting it is not part of known, active exploitation campaigns.
OpenCVE Enrichment